docs: RBAC, identity mapper schema, identity schema

flanksource · Oct 2, 2024 · 97dd788 · 97dd788
1 parent 70a12fd
commit 97dd788
Show file tree

Hide file tree

Showing 6 changed files with 153 additions and 55 deletions.
diff --git a/mission-control/docs/installation/_properties.mdx b/mission-control/docs/installation/_properties.mdx
@@ -4,10 +4,12 @@ import MissionControl from './_properties_mission_control.mdx'
 import Db from './_properties_db.mdx'
 import Agent from './_agent_properties.mdx'
 import Ingress from './_properties_ingress.mdx'
+import IdentityMapper from './_properties_identity_mapper.mdx'
 
 {(!props.section || props.section == "mission-control") && <MissionControl/>}
 {( props.section == "agent") && <Agent/>}
 {(!props.section || props.section == "ingress") && <Ingress/>}
 {(!props.section || props.section == "db") && <Db/>}
 {(!props.section || props.section == "auth") && <Auth/>}
 {(!props.section || props.section == "agent" || props.section == "security") && <Security/>}
+{(!props.section && props.section != "agent") && <IdentityMapper/>}
diff --git a/mission-control/docs/installation/_properties_identity_mapper.mdx b/mission-control/docs/installation/_properties_identity_mapper.mdx
@@ -0,0 +1,82 @@
+### Identity Mapper
+
+The schema for the object to be returned by the identity mapper script.
+
+<Fields rows={
+  [{
+    field: "role",
+    description: "Mission control role. See [RBAC](/reference/rbac)",
+    scheme: "`admin` | `viewer` | `editor`",
+  },
+  {
+    field: "teams",
+    description: "List of name or id of the teams the OIDC identity will be put into",
+    scheme: "`[]string`",
+  }]
+} />
+
+
+#### Kratos Identity
+
+<Fields rows={
+  [
+    {
+      field: "created_at",
+      description: "Timestamp for when the identity was created",
+      scheme: "`timestamp`",
+    },
+    {
+      field: "id",
+      description: "Unique identifier for the identity",
+      scheme: "string",
+    },
+    {
+      field: "metadata_public",
+      description: "Public metadata for the identity",
+      scheme: "`map[string]any`",
+    },
+    {
+      field: "state",
+      description: "Current state of the identity",
+      scheme: "`active` | `inactive`",
+    },
+    {
+      field: "traits",
+      description: "Identity's traits.",
+      scheme: "[`Trait`](#kratos-identity-trait)",
+    },
+    {
+      field: "updated_at",
+      description: "Timestamp for when the identity was last updated",
+      scheme: "`timestamp`",
+    },
+  ]
+} />
+
+#### Kratos Identity Trait
+
+<Fields rows={
+  [
+    {
+      field: "name.first",
+      description: "First name",
+      scheme: "string",
+    },
+    {
+      field: "name.last",
+      description: "Last name",
+      scheme: "string",
+    },
+    {
+      field: "email",
+      description: "Email address",
+      scheme: "string",
+      required: true,
+    },
+    {
+      field: "groups",
+      description: "List of groups the identity belongs to",
+      scheme: "`[]string`",
+    }
+  ]
+} />
diff --git a/mission-control/docs/installation/self-hosted/oidc.mdx b/mission-control/docs/installation/self-hosted/oidc.mdx
@@ -72,7 +72,7 @@ See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more deta
     <p/>
 
 5. Optionally, create a cel expression to map identities from the OIDC provider to a mission control role & team. 
-    _Example_: the following script maps all Azure users in the "SRE" group to the "admin" role & everyone else to a "viewer" role.
+    The following script maps all Azure users in the `SRE` group to the `admin` role and everyone else to the `viewer` role.
 
     ```yaml
     apiVersion: v1
@@ -87,7 +87,7 @@ See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more deta
     ```
     <p/>
 
-    The cel expression is expected to return an object with a `role` & a `teams[]` fields.
+    See [Identity Mapper Schema](/reference/helm/mission-control#identity-mapper) & [RBAC](/reference/rbac)
 
 6. Supply the identity mapper script to mission control.
 

diff --git a/mission-control/docs/reference/helm/mission-control.mdx b/mission-control/docs/reference/helm/mission-control.mdx
@@ -1,59 +1,59 @@
 ---
 title: Mission Control
 ---
-import Properties from '@site/docs/installation/_properties.mdx'
-
 
+import Properties from '@site/docs/installation/_properties.mdx'
 
 export const toc = [
-     {
-        value: "Mission Control",
-        id: "mission-control",
-        level: 2,
-    },
-    {
-        value: "Canary Checker",
-        id: "canary-checker",
-        level: 3,
-    },
-    {
-        value: "Config DB",
-        id: "config-db",
-        level: 3,
-    },
-    {
-        value: "Authentication",
-        id: "authentication",
-        level: 2,
-    },
-
-       {
-        value: "Ingress",
-        id: "ingress",
-        level:2,
-    },
-     {
-        value: "Database",
-        id: "database",
-        level: 2,
-    },
-       {
-        value: "Custom postgres.conf",
-        id: "updating-postgresconf-settings",
-        level: 3,
-    },
-      {
-        value: "Using an External DB",
-        id: "using-an-external-database",
-        level: 3,
-    },
-
-
-
-
-
+  {
+    value: 'Mission Control',
+    id: 'mission-control',
+    level: 2,
+  },
+  {
+    value: 'Canary Checker',
+    id: 'canary-checker',
+    level: 3,
+  },
+  {
+    value: 'Config DB',
+    id: 'config-db',
+    level: 3,
+  },
+  {
+    value: 'Authentication',
+    id: 'authentication',
+    level: 2,
+  },
+
+  {
+    value: 'Ingress',
+    id: 'ingress',
+    level: 2,
+  },
+  {
+    value: 'Database',
+    id: 'database',
+    level: 2,
+  },
+  {
+    value: 'Custom postgres.conf',
+    id: 'updating-postgresconf-settings',
+    level: 3,
+  },
+  {
+    value: 'Using an External DB',
+    id: 'using-an-external-database',
+    level: 3,
+  },
+  {
+    value: 'Identity Mapper',
+    id: 'identity-mapper',
+    level: 2,
+  },
 ]
 
+
 ## Mission Control
 
 <Properties/>
diff --git a/mission-control/docs/reference/index.mdx b/mission-control/docs/reference/index.mdx
@@ -1,9 +1,5 @@
 ---
 title: Reference
 slug: /reference
+sidebar_position: 0
 ---
-
-{/*
-import DocCardList from '@theme/DocCardList';
-
-<DocCardList /> */}
diff --git a/mission-control/docs/reference/rbac.mdx b/mission-control/docs/reference/rbac.mdx
@@ -0,0 +1,18 @@
+---
+title: RBAC
+sidebar_position: 10
+---
+
+Mission control heavily uses RBAC to manage access control and permissions within the system. In our system, we have defined the following roles:
+
+## Admin
+
+The admin role has full access to all features and functionalities of the system.
+
+## Editor
+
+The editor role has various read-write privileges apart from few highly privileged actions like user management, agent management, connection management, etc ...
+
+## Viewer
+
+The viewer role has read-only access to the system